Testing Security Onion


Amine Morocco

Jul 5, 2016, 6:13:12 PM
to security-onion
Hi,
Can someone show me how I can test Security Onion on a small LAN with:
- 1 machine standalone where SO is installed (1 port for management, 1 port for sniffing, with promiscuous mode on both interfaces)
- 1 Machine Windows XP
- 1 Machine Linux Ubuntu
- 1 Machine Windows 7
- 1 Hub (To get all packets)
- 1 router
PS: No network, just a LAN topology.
Thanks.

Wes

Jul 5, 2016, 6:44:18 PM
to security-onion

Amine,

Please do not double-post:
https://groups.google.com/forum/#!topic/security-onion/Tjalakpg1oQ

What exactly are you looking for? It sounds like you've planned out what you would like your scenario to contain.

While a tap or SPAN port is generally preferred, I believe you should be fine using the hub (with the sniffing interface(s) connected to it, as well as the other machines).

In regard to the interfaces, you can configure a management interface and a sniffing interface on a Security Onion machine by running through setup and choosing the "Standalone" deployment type.

From there, you could configure your management interface (manually) to sniff as well, by doing something similar to the following:

http://www.makethenmakeinstall.com/2013/02/the-security-onion-nsm-in-an-esxi-vm/#more-195

https://github.com/Security-Onion-Solutions/security-onion/wiki/NetworkConfiguration

If you like, you can install OSSEC agents on the other machines to test that particular functionality:

https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC
https://github.com/Security-Onion-Solutions/security-onion/wiki/OSSEC#adding-agents

You can then review logs/alerts by going through the various interfaces:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Sguil
https://github.com/Security-Onion-Solutions/security-onion/wiki/Squert
https://github.com/Security-Onion-Solutions/security-onion/wiki/ELSA
https://github.com/Security-Onion-Solutions/security-onion/wiki/CapMe

Keep in mind, you may need to update your systems for functionality/security improvements. You can have a look here at some scripts @SkiTheSlicer has come up with to manage Security Onion in an airgapped network:

https://github.com/Security-Onion-Solutions/security-onion/wiki/Airgapped-Networks

Hope that gets you going in the right direction.

Thanks,
Wes
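The NetworkConfiguration wiki page linked above describes how a sniffing interface is set up in /etc/network/interfaces (method `manual`, no IP address, `promisc on`, NIC offloading turned off with `ethtool -K`), and Wes notes that the management interface can be given the same treatment so it sniffs too. The following is an added example, not code from the Security Onion project or from anyone in this thread: a small lint script that parses an interfaces(5) file and reports which of those settings are missing for each interface you declare as a sniffing port. The sample file embedded in it is constructed, and the exact set of offloads it insists on (`tso`, `gso`, `gro`, `lro`) is an assumption chosen because those are the ones that most distort captured packets.

```python
"""Lint /etc/network/interfaces for Security Onion sniffing-interface settings.

Added example (not Security Onion project code). Checks the conventions the
NetworkConfiguration wiki describes: a sniffing NIC is 'manual', carries no IP,
is brought up promiscuous, and has offloading disabled with ethtool -K.
A management NIC that also sniffs may keep its IP but still needs the rest.
"""
import re
from typing import Dict, List

# Constructed sample: eth0 is management (static IP), eth1 is the sniffing port.
SAMPLE_INTERFACES = """\
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 192.168.1.10
  netmask 255.255.255.0
  gateway 192.168.1.1

auto eth1
iface eth1 inet manual
  up ip link set $IFACE promisc on arp off up
  down ip link set $IFACE promisc off down
  post-up ethtool -G $IFACE rx 4096; for i in rx tx sg tso ufo gso gro lro; do ethtool -K $IFACE $i off; done
  post-up echo 1 > /proc/sys/net/ipv6/conf/$IFACE/disable_ipv6
"""

# Assumption: these offloads must be off, since they merge/segment frames before capture.
OFFLOADS = ("tso", "gso", "gro", "lro")


def parse_interfaces(text: str) -> Dict[str, Dict[str, object]]:
    """Group an interfaces(5) file into {iface: {"method": str, "lines": [...]}}."""
    stanzas: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"iface\s+(\S+)\s+inet\s+(\S+)", line)
        if m:
            current = m.group(1)
            stanzas[current] = {"method": m.group(2), "lines": []}
        elif line.startswith(("auto ", "allow-", "mapping ", "source")):
            current = None  # top-level directives, not part of any stanza
        elif current is not None:
            stanzas[current]["lines"].append(line)
    return stanzas


def check_sniffing_iface(stanza: Dict[str, object], management: bool = False) -> List[str]:
    """Return a list of problems; empty means the stanza looks like a sniffing NIC."""
    problems: List[str] = []
    lines: List[str] = stanza["lines"]  # type: ignore[assignment]
    if not management:
        if stanza["method"] != "manual":
            problems.append("method should be 'manual' so no IP is assigned")
        if any(l.startswith(("address", "gateway")) for l in lines):
            problems.append("sniffing interface should not carry an IP address")
    # Promiscuous mode must be set when the interface comes up.
    if not any(l.startswith("up") and re.search(r"\bpromisc on\b", l) for l in lines):
        problems.append("missing 'up ip link set $IFACE promisc on'")
    # Offloads are disabled in post-up lines via ethtool -K (loop or explicit form).
    ethtool_lines = " ".join(l for l in lines if l.startswith("post-up") and "ethtool -K" in l)
    for off in OFFLOADS:
        if not re.search(rf"\b{off}\b", ethtool_lines):
            problems.append(f"offload '{off}' not disabled with ethtool -K")
    return problems


def lint(text: str, roles: Dict[str, bool]) -> Dict[str, List[str]]:
    """roles maps interface name -> True if it is the management NIC (that also sniffs)."""
    stanzas = parse_interfaces(text)
    report: Dict[str, List[str]] = {}
    for name, is_mgmt in roles.items():
        if name not in stanzas:
            report[name] = ["no iface stanza found"]
        else:
            report[name] = check_sniffing_iface(stanzas[name], management=is_mgmt)
    return report


if __name__ == "__main__":
    # Replace SAMPLE_INTERFACES with open("/etc/network/interfaces").read() on a sensor.
    for iface, issues in lint(SAMPLE_INTERFACES, {"eth1": False, "eth0": True}).items():
        print(iface, "OK" if not issues else "; ".join(issues))
```

Run it against the sample and eth1 comes back clean, while eth0 (declared as a management NIC that should also sniff) is flagged for the missing promisc and ethtool lines, which is exactly the manual step Wes refers to.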

Amine Morocco

Jul 9, 2016, 1:02:07 PM
to security-onion
Thanks.